add slash to the openapi targeturl when it doesn't have (RedHatProduc…

…tSecurity#151)
jeremychoi · Oct 23, 2023 · 709eaed · 709eaed
1 parent da05a93
commit 709eaed
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 7 deletions.
diff --git a/scanners/zap/zap.py b/scanners/zap/zap.py
@@ -366,10 +366,7 @@ def _setup_zap_automation(self):
             af_context = find_context(self.automation_config)
             app_url = self.config.get("application.url")
             if app_url and isinstance(app_url, str):
-                if not app_url.endswith("/"):
-                    # For some unknonw reason, ZAP appears to behave weirdly if the URL is just the hostname without '/'
-                    app_url = app_url + "/"
-                af_context["urls"].append(app_url)
+                af_context["urls"].append(self._append_slash_to_url(app_url))
             else:
                 logging.error("Configuration: ZAP requires an application.url entry")
                 raise KeyError("Missing `application.url` in configuration")
@@ -413,6 +410,12 @@ def _setup_import_urls(self):
         job["parameters"]["fileName"] = dest
         self.automation_config["jobs"].append(job)
 
+    def _append_slash_to_url(self, url):
+        # For some unknown reason, ZAP appears to behave weirdly if the URL is just the hostname without '/'
+        if not url.endswith("/"):
+            url = url + "/"
+        return url
+
     def _setup_api(self):
         """Prepare an openapi job and append it to the job list"""
 
@@ -433,9 +436,11 @@ def _setup_api(self):
         else:
             logging.warning("No API defined in the config, in apiScan.api")
         # default target: main URL, or can be overridden in apiScan
-        openapi["parameters"]["targetUrl"] = self.my_conf(
-            "apiScan.target"
-        ) or self.config.get("application.url")
+
+        openapi["parameters"]["targetUrl"] = self._append_slash_to_url(
+            self.my_conf("apiScan.target") or self.config.get("application.url")
+        )
+
         openapi["parameters"]["context"] = Zap.DEFAULT_CONTEXT
 
         self.automation_config["jobs"].append(openapi)

diff --git a/tests/scanners/zap/test_setup_podman.py b/tests/scanners/zap/test_setup_podman.py
@@ -33,6 +33,11 @@ def test_setup_basic(test_config):
         == "http://example.com/"
     )
 
+    for item in test_zap.automation_config["jobs"]:
+        if item["type"] == "openapi":
+            assert item["parameters"]["targetUrl"] == "http://example.com/"
+            break
+
     # Test that a passive scan is added with all rules actively disabled
     for item in test_zap.automation_config["jobs"]:
         if item["type"] == "passiveScan-config":